diff --git a/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml b/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml
index d30605c76..89044766d 100644
--- a/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml
+++ b/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml
@@ -9,7 +9,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
-modified: 2023/09/09
+modified: 2024/05/10
 tags:
 - attack.defense_evasion
 - attack.t1562.004
@@ -23,8 +23,9 @@ detection:
 EventID:
 - 2004 # A rule has been added to the Windows Defender Firewall exception list
 - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
+ - 2097
 filter_main_block:
- Action: 2
+ Action: 2 # Block
 filter_main_generic:
 ApplicationPath|contains:
 - :\Program Files (x86)\
@@ -41,6 +42,7 @@ detection:
 ApplicationPath|contains:
 - :\PerfLogs\
 - :\Temp\
+ - :\Tmp\
 - :\Users\Public\
 - :\Windows\Tasks\
 - :\Windows\Temp\
diff --git a/sigma/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/sigma/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
index c9cd4d4b8..bcf3783e1 100644
--- a/sigma/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
+++ b/sigma/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
@@ -12,7 +12,7 @@ references:
 - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
 author: frack113
 date: 2023/02/26
-modified: 2024/01/22
+modified: 2024/05/10
 tags:
 - attack.defense_evasion
 - attack.t1562.004
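Review bot: `- 2097` is added to `selection.EventID` without the trailing comment that `2004` and `2071` carry, so a reader cannot tell which firewall event it denotes or why it is now treated as equivalent to the two documented IDs; the same bare `- 2097` is added in win_firewall_as_add_rule_susp_folder.yml and in the new win_firewall_as_add_rule_wmiprvse.yml. Propose `- 2097 # <event description and OS version — confirm against the Windows Firewall event reference>` in all three, matching the style of the neighbouring lines. The `:\Tmp\` entry added here and in the susp_folder rule is a plausible companion to `:\Temp\`, but neither rule's references or description mentions it, so a short comment on where it was observed would make the broadening auditable. The `detection` mapping these hunks belong to starts before and ends after the hunk.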
@@ -26,15 +26,17 @@ detection:
 EventID:
 - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
 - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
+ - 2097
 ApplicationPath|contains:
 - :\PerfLogs\
 - :\Temp\
+ - :\Tmp\
 - :\Users\Public\
 - :\Windows\Tasks\
 - :\Windows\Temp\
 - \AppData\Local\Temp\
 filter_main_block:
- Action: 2
+ Action: 2 # Block
 condition: firewall_as and (selection and not 1 of filter_main_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml b/sigma/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
new file mode 100644
index 000000000..e1b07ee4e
--- /dev/null
+++ b/sigma/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
@@ -0,0 +1,36 @@
+title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
+id: ac6e5dab-06d1-5064-a91c-0eb6246d22bd
+related:
+ - id: eca81e8d-09e1-4d04-8614-c91f44fd0519
+ type: derived
+status: experimental
+description: |
+ Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE).
+ This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
+ - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
+ - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/05/10
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
+logsource:
+ product: windows
+ service: firewall-as
+detection:
+ firewall_as:
+ Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
+ selection:
+ EventID:
+ - 2004 # A rule has been added to the Windows Defender Firewall exception list
+ - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
+ - 2097
+ Action: 3 # Allow
+ ModifyingApplication|endswith: :\Windows\System32\wbem\WmiPrvSE.exe
+ condition: firewall_as and selection
+falsepositives:
+ - Administrator scripts or activity.
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_uac_registry.yml b/sigma/builtin/registry/registry_set/registry_set_disable_uac_registry.yml
deleted file mode 100644
index 30335e094..000000000
--- a/sigma/builtin/registry/registry_set/registry_set_disable_uac_registry.yml
+++ /dev/null
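Review bot: `ModifyingApplication|endswith: :\Windows\System32\wbem\WmiPrvSE.exe` identifies the WMI provider host, not the process that asked for the rule, so by itself the event cannot distinguish the PowerShell cmdlet from the CIM-class path the description names, and the description should say so and point at the process-creation and script-block rules added in this commit for attribution. Propose appending to `description`: `The modifying application is always the WMI provider host; correlate with process creation or script block events to identify the calling process.` The `falsepositives` entry `Administrator scripts or activity.` would also be more useful if it named that any management tooling which configures firewall rules through WMI will match — presumably common, confirm in the target environment.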
@@ -1,32 +0,0 @@
-title: Disable UAC Using Registry
-id: 6665e720-ff59-40c7-6fc2-63c2990aef5f
-related:
- - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
- type: derived
-status: experimental
-description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
-references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
-author: frack113
-date: 2022/01/05
-modified: 2023/08/17
-tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1548.002
- sysmon
-logsource:
- category: registry_set
- product: windows
-detection:
- registry_set:
- EventID: 4657
- Channel: Security
- selection:
- ObjectName|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- NewValue: DWORD (0x00000000)
- condition: registry_set and selection
-falsepositives:
- Unknown
-level: medium
-ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_uac_disable.yml b/sigma/builtin/registry/registry_set/registry_set_uac_disable.yml
new file mode 100644
index 000000000..b136e2b56
--- /dev/null
+++ b/sigma/builtin/registry/registry_set/registry_set_uac_disable.yml
@@ -0,0 +1,30 @@
+title: UAC Disabled
+id: 6665e720-ff59-40c7-6fc2-63c2990aef5f
+status: stable
+description: |
+ Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
+author: frack113
+date: 2022/01/05
+modified: 2024/05/10
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
+ - sysmon
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|contains: \Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+ NewValue: DWORD (0x00000000)
+ condition: registry_set and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_uac_disable_notification.yml b/sigma/builtin/registry/registry_set/registry_set_uac_disable_notification.yml
new file mode 100644
index 000000000..052811714
--- /dev/null
+++ b/sigma/builtin/registry/registry_set/registry_set_uac_disable_notification.yml
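Review bot: The `related` block that the deleted registry_set_disable_uac_registry.yml carried (`- id: 48437c39-9e5f-47fb-af95-3d663c3f2919`, `type: derived`) is dropped from this replacement even though the rule id `6665e720-ff59-40c7-6fc2-63c2990aef5f` is reused, while the sysmon counterpart registry_set_uac_disable.yml keeps that entry and adds two `similar` ones; the new builtin registry_set_uac_disable_notification.yml and registry_set_uac_disable_secure_desktop_prompt.yml likewise ship without the `related` lists their sysmon twins have. Propose restoring `related:` / `- id: 48437c39-9e5f-47fb-af95-3d663c3f2919` / `type: derived` here and mirroring the sysmon `related` lists in the other two builtin files, so lineage stays traceable across both backends. Separately, `status: stable` is set in the same change that shortens `ObjectName|contains` from `SOFTWARE\Microsoft\...` to `\Microsoft\...` (and the sysmon rename does the same to `TargetObject|contains`); a one-line comment on why the hive prefix was dropped — presumably to match alternate views of the key, confirm — would let reviewers judge the broader match.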
@@ -0,0 +1,32 @@
+title: UAC Notification Disabled
+id: 4936b46c-badc-cb8a-54d4-3d0b9502aa8a
+status: experimental
+description: |
+ Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
+ UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
+ When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
+ - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/05/10
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
+ - sysmon
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|contains: \Microsoft\Security Center\UACDisableNotify
+ NewValue: DWORD (0x00000001)
+ condition: registry_set and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml b/sigma/builtin/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
new file mode 100644
index 000000000..a3bdb278f
--- /dev/null
+++ b/sigma/builtin/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
@@ -0,0 +1,31 @@
+title: UAC Secure Desktop Prompt Disabled
+id: 4475b3bd-9b24-b189-1118-871c5fe3fe17
+status: experimental
+description: |
+ Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
+ The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
+ When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
+author: frack113
+date: 2024/05/10
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
+ - sysmon
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|contains: \Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
+ NewValue: DWORD (0x00000000)
+ condition: registry_set and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml
new file mode 100644
index 000000000..56b78064e
--- /dev/null
+++ b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml
@@ -0,0 +1,37 @@
+title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
+id: 40fd8a4e-3820-0edf-530e-53785ee863e9
+related:
+ - id: 51483085-0cba-46a8-837e-4416496d6971
+ type: similar
+ - id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
+ type: derived
+status: experimental
+description: |
+ Detects when a powershell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
+ - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
+ - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+author: frack113
+date: 2024/05/10
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
+ - detection.threat_hunting
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ ps_script:
+ EventID: 4104
+ Channel:
+ - Microsoft-Windows-PowerShell/Operational
+ - PowerShellCore/Operational
+ selection:
+ ScriptBlockText|contains: New-NetFirewallRule*-Action*Allow
+ condition: ps_script and selection
+falsepositives:
+ - Administrator script
+level: low
+ruletype: Sigma
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
new file mode 100644
index 000000000..b006fda0b
--- /dev/null
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
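Review bot: `ScriptBlockText|contains: New-NetFirewallRule*-Action*Allow` enforces only token order, and a 4104 script block can hold an entire script, so the trailing `Allow` can be satisfied by any later text — a display name or comment containing "allow", or a second cmdlet — rather than by the `-Action` argument of that call. That is acceptable for a `detection.threat_hunting` rule at `level: low`, but the description's claim that it detects a rule "with an Allow action" overstates the precision. Propose adding to `description`: `The match is token-ordered, not parameter-bound: "Allow" may come from any later text in the script block, so review the whole block before acting.` Tightening the value to `New-NetFirewallRule*-Action Allow` would bind the two tokens but miss abbreviated parameters and the `-Action:Allow` form, so documenting the trade-off is the better fix for a hunting rule.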
@@ -0,0 +1,36 @@
+title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
+id: 9a19f541-5164-a71e-b29a-91d7d34d09e6
+status: experimental
+description: |
+ Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
+ - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
+ - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+author: frack113
+date: 2024/05/03
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_name:
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - \powershell_ise.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
+ selection_args:
+ CommandLine|contains|all:
+ - 'New-NetFirewallRule '
+ - ' -Action '
+ - allow
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Administrator script
+level: low
+ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_disable_uac_registry.yml b/sigma/sysmon/registry/registry_set/registry_set_uac_disable.yml
similarity index 51%
rename from sigma/sysmon/registry/registry_set/registry_set_disable_uac_registry.yml
rename to sigma/sysmon/registry/registry_set/registry_set_uac_disable.yml
index 7b961d156..73122f6e4 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_disable_uac_registry.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_uac_disable.yml
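Review bot: This rule carries no `tags` at all, whereas the sibling posh_ps_new_netfirewallrule_allow.yml in the same commit has `attack.defense_evasion`, `attack.t1562.004` and `detection.threat_hunting`, and the sysmon twin sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml has only `- sysmon`, placed after `level`; both process-creation rules should carry the same three tags as the script-block rule (the sysmon one keeping `- sysmon`), in the usual position before `logsource`. Separately, `CommandLine|contains|all` with `' -Action '` and `allow` as independent values does not bind `allow` to the `-Action` parameter, so a command line with `-Action Block` and the word allow anywhere else (a display name, a description) matches too, here and in the sysmon twin. That is tolerable at `level: low`, but the description should state it, e.g. `Matches the tokens independently; "allow" may appear outside the -Action argument.` Also `date: 2024/05/03` differs from the `2024/05/10` used by every other new file in the commit — presumably a leftover, confirm.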
@@ -1,15 +1,20 @@
-title: Disable UAC Using Registry
+title: UAC Disabled
 id: 56aa7436-715f-5aa2-dd48-916fa34bd24a
 related:
+ - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
+ type: similar
+ - id: 0d7ceeef-3539-4392-8953-3dc664912714
+ type: similar
 - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
 type: derived
-status: experimental
-description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
+status: stable
+description: |
+ Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
+ - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
 author: frack113
 date: 2022/01/05
-modified: 2023/08/17
+modified: 2024/05/10
 tags:
 - attack.privilege_escalation
 - attack.defense_evasion
@@ -23,7 +28,7 @@ detection:
 EventID: 13
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+ TargetObject|contains: \Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
 Details: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
diff --git a/sigma/sysmon/registry/registry_set/registry_set_uac_disable_notification.yml b/sigma/sysmon/registry/registry_set/registry_set_uac_disable_notification.yml
new file mode 100644
index 000000000..3d611744b
--- /dev/null
+++ b/sigma/sysmon/registry/registry_set/registry_set_uac_disable_notification.yml
@@ -0,0 +1,39 @@
+title: UAC Notification Disabled
+id: ede4148c-b047-cbbc-092c-88f52e003420
+related:
+ - id: 0d7ceeef-3539-4392-8953-3dc664912714
+ type: similar
+ - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
+ type: similar
+ - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
+ type: derived
+status: experimental
+description: |
+ Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
+ UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
+ When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
+ - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/05/10
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
+ - sysmon
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 13
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ TargetObject|contains: \Microsoft\Security Center\UACDisableNotify
+ Details: DWORD (0x00000001)
+ condition: registry_set and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml b/sigma/sysmon/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
new file mode 100644
index 000000000..c9a4bbbfc
--- /dev/null
+++ b/sigma/sysmon/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
@@ -0,0 +1,38 @@
+title: UAC Secure Desktop Prompt Disabled
+id: 0c1c42d3-6cb3-103a-ff14-8d1de5276525
+related:
+ - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
+ type: similar
+ - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
+ type: similar
+ - id: 0d7ceeef-3539-4392-8953-3dc664912714
+ type: derived
+status: experimental
+description: |
+ Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
+ The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
+ When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
+author: frack113
+date: 2024/05/10
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
+ - sysmon
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 13
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ TargetObject|contains: \Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
+ Details: DWORD (0x00000000)
+ condition: registry_set and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/threat-hunting/file/file_event/file_event_win_webdav_tmpfile_creation.yml b/sigma/sysmon/threat-hunting/file/file_event/file_event_win_webdav_tmpfile_creation.yml
index 6fa80fd76..cd26c221a 100644
--- a/sigma/sysmon/threat-hunting/file/file_event/file_event_win_webdav_tmpfile_creation.yml
+++ b/sigma/sysmon/threat-hunting/file/file_event/file_event_win_webdav_tmpfile_creation.yml
@@ -1,6 +1,8 @@
 title: WebDAV Temporary Local File Creation
 id: 06a97bed-3a7a-53a7-842e-bc751b7a3e1f
 related:
+ - id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
+ type: similar
 - id: 4c55738d-72d8-490e-a2db-7969654e375f
 type: derived
 status: experimental
@@ -8,6 +10,7 @@ description: Detects the creation of WebDAV temporary files with potentially sus
 references:
 - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
 - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
+ - https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
 author: Micah Babinski
 date: 2023/08/21
 tags:
diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
new file mode 100644
index 000000000..b497e642c
--- /dev/null
+++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
@@ -0,0 +1,43 @@
+title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
+id: 4b64c673-1edf-e1f1-5432-ab06d36248ee
+related:
+ - id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
+ type: similar
+ - id: 51483085-0cba-46a8-837e-4416496d6971
+ type: derived
+status: experimental
+description: |
+ Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
+ - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
+ - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+author: frack113
+date: 2024/05/03
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_name:
+ - Image|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - \powershell_ise.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
+ selection_args:
+ CommandLine|contains|all:
+ - 'New-NetFirewallRule '
+ - ' -Action '
+ - allow
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Administrator script
+level: low
+tags:
+ - sysmon
+ruletype: Sigma